Marriott fined £99m for 2018 data breach

ICO says the hotel chain 'failed to undertake due dilligence' in Starwood acquisition

The Information Commissioner's Office (ICO) has said it will fine Marriott International over 99 million following a breach of its systems that led to the exposure of approximately 339 million guest records.

The hotel chain revealed in November that an unknown third-party had gained unauthorised access to its Starwood guest reservation system by exploiting an unpatched vulnerability dating back to 2014.

Of the 339 million records accessed, it's thought around 30 million were related to residents of 31 countries in the European Economic Area, including seven million belonging to UK citizens.

Following an investigation by the ICO, it was found that Marriott, which bought the Starwood brand in 2016, "failed to undertake sufficient due diligence" during the acquisition and missed the vulnerability as a result. The hotel chain has now been fined 99,200,396 for infringements of GDPR.

"The GDPR makes it clear that organisations must be accountable for the personal data they hold," said Information Commissioner Elizabeth Denham. "This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."

Despite the large fine, the ICO said the Marriott has co-operated with its investigation and has made improvements to its security arrangements since the breach came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.

It's been a busy week for the UK's data watchdog after announced its intent on Monday to fine British Airways for a similar data breach in September 2018. On that occasion, the penalty was a record-breaking 183 million after hackers compromised the personal data of half a million customers.

Featured Resources

How to be an MSP: Seven steps to success

Building your business from the ground up

Download now

The smart buyer’s guide to flash

Find out whether flash storage is right for your business

Download now

How MSPs build outperforming sales teams

The definitive guide to sales

Download now

The business guide to ransomware

Everything you need to know to keep your company afloat

Download now

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021